# Symbolic methods for cryptography

Embed Size (px)

description

### Transcript of Symbolic methods for cryptography

Computational Soundness

Symbolic methods for cryptography

Bogdan WarinschiUniversity of Bristol

Computational Soundness

Toy example

K K

A, N1

{N1, N2, Ks } K

{B, N2}Ks {D}Ks

A B

Is the data D secret?

Computational Soundness

Security Models

Mathematical model

Security property

Proof method

Computational Soundness

Abstraction Levels

Computational Soundness

Abstraction Levels

Inse

curity

Computational Soundness

Abstraction Levels

Secu

rity

Computational Soundness

Two types of security models

Model

Security property

Proof method

Model

Security property

Proof method

Model

Security property

Proof method Model

Security property

Proof method

Computational Soundness

Outline

• A gap between models for encryption:– security definitions – proofs

• Bridging the gap:

– The passive adversaries case: • the Abadi-Rogaway logic • extensions

– The active adversaries case (tomorrow)

Computational Soundness

Two views of security for encryption schemes

Computational Soundness

Symbolic treatment of encryption

• Messages are elements from a term algebra: – Data = {D1,D2,…},

– Keys = {K1,K2,…}, – Random nonces = {N1,N2,…}, – Identities = {A,B,…}

• BASIC := Data | Keys | Random nonces | Identities

• TERM := BASIC | (TERM, TERM) | {TERM}Keys

• Messages are terms, e.g. N2 , {((B, N1), Ks) }K

Computational Soundness

Symbolic treatment of encryption

• Security for encryption is axiomatized

– Given {M}K adversary can compute M only if it has K

{M}K, K

M

KM,

{M}K

M1, M2

(M1, M2)

(M1, M2)

M1, M2

Computational Soundness

Computational treatment for encryption

• Messages are bitstrings

• Symmetric encryption scheme = (Kg, Enc, Dec)

– Kg(η) outputs a random bitstring k in {0,1}η

– Enc: {0,1}η × {0,1}* → {0,1}* (distribution on {0,1}*)

– Dec: {0,1}η × {0,1}* → {0,1}*

– It holds that: Dec (k, Enc(k,m) ) = m

• E.g. AES-CBC

Computational Soundness

Computational treatment for encryption

= (Kg,Enc,Dec) ;

Enc(K,_)b M0,M1 (|M0|=|M1|)

Enc (K,Mb)

b=?

Encryption scheme is IND-CPA secure if for all adversaries,

Pr [ Adversary guessess b] ½ + negligible function (η)

Computational Soundness

Security of double encryption:

• Is the message M secret ?

K K

A B

{ {M} K }K

Computational Soundness

Security of double encryption: symbolically

• Does there exist a derivation:

{{M}K}

K

………

M

{M}K, K

M

KM,

{M}K

M1, M2

(M1, M2)

(M1, M2)

M1, M2

using only:

Computational Soundness

Security of double encryption: computationally

Enc(K,(Enc(K,_))

b

M0,M1 (|M0|=|M1|)

Enc(K,Enc (K,Mb))

b=?

Computational Soundness

Security of double encryption: computationally

C

b=?

Enc(K,_)

b M0,M0

C0=Enc(K, M0)

M1,M1

C1=Enc(K, M1)

C0,C1

C=Enc(K,(Enc(K, Mb)

M0,M1

Computational Soundness

Two Paradigms for Protocol Analysis

Symbolic Approach

Abstract model

D-Y adversaries

Unclear how to ensure security of primitives

Proofs can potentially be automatized (theorem provers, model checkers)

Computational Approach

Concrete model

Powerful PPT adversaries

Clear definitions for the security of primitives

Complex protocols are difficult to analyze

Computational Soundness

Two types of security models

Model

Security property

Proof method

Model

Security property

Proof method

Model

Security property

Proof method

Model

Security property

Proof method

Computational Soundness

Two ways of bridging the gap

Model

Security property

Proof method

Model

Security property

Proof method

Model

Security property

Proof method

Model

Security property

Proof method

Apply methods/techniques from the red world directly in the blue world:

Bruno, Sylvain, Marion’s talks

Show that security in the red worldimplies

security in the blue world

Computational Soundness

Computational Soundness

1.Prove security in the symbolic model2.Apply the soundness theorem3.Deduce security in the computational model

Symbolic model

Security property

Symbolic proof

Computational model

Security property

Computationalproof

Soundness Theorems

Computational Soundness

Two types of security models

Model

Security property

Proof method

Model

Security property

Proof method

Model

Security property

Proof method

Model

Security property

Proof method

Secu

rity

InS

ecu

rity

Secu

rity

Computational Soundness

Toy example

K K

A, N1

{N1, N2, Ks } K

{B, N2} Ks {D}Ks

A B

Is the data D secret?

Computational Soundness

Passive adversaries• A protocol run:

• Two interleaved sessions:

• Two interleaved sessions with corruption:

A, N1, {N1, N2, Ks }K, A, N3, {N3, N4, Ks’ }K, {B, N4}Ks’, {D2}Ks’,{B,N2}Ks,{D1}Ks

A, N1, {N1, N2, Ks }K, {B, N2}Ks {D1}Ks

A, N1, {N1, N2, Ks }K, Ks, A, N3, {N3, N4, Ks’ }K, {B, N4}Ks’, {D2}Ks’,{B,N2}Ks, {D1}Ks

Computational Soundness

Defining secrecy, symbolically

To each expression associate a pattern:

For E={N1}K1,{{K1}K2

}K3,K3,{K3}K2

,

{{K1,N2}K3,K3}K2

patt(E)= ▓, {▓}K3, K3, ▓, ▓ (tentative

definition)patt(E)={N}K1,{{K0}K2

}K3,K3,{K0}K2

,{{K0,N}K0,K0 }K2

Computational Soundness

Defining secrecy, symbolically

• Definition: D is hidden in E if D does not occur in patt(E)

Is D1 secret in

A, N1, {N1, N2, Ks }K, {B, N2}Ks

{D1}Ks

Computational Soundness

Defining secrecy, computationally

Given:• a valuation f: {D1,D2,...} {0,1}n

• an encryption scheme = (Kg, Enc, Dec)

Define:[[ _ ]] : Expressions Distributions

f

A, N1, {N1, N2, Ks }K, {B, N2}Ks

{D1}Ks

Computational Soundness

Mapping expressions to (distributions on) bitstrings

{D1,{K5,N }K1}K1

[[ _ ]] : Expressions Distributions f

01000100…11011Kg

111101100…11101Kg

Enc( , ) 01000100…11011 11010101100…10001111101100…11101 00110100…11110

Blah…blah…(in binary)Enc( , )01000100…11011 11010101100…10001

11010101100…1000101010010100101111111111110100100101110100001101110000001010100001011101001

Blah…blah…(in binary)f

00110100…11110Rand

Computational Soundness

Defining secrecy, computationally

E={D1,{K5,N }K1}K1

[[ _ ]] : Expressions Distributions f

01000100…11011Kg

111101100…11101Kg

000101010000111f0

00110100…11110Rand

100110110001110f1

b=?

[[ E ]]

fb

Computational Soundness

Defining secrecy, computationally

Let E be an expression and an encryption scheme

The set T Data is computationally hidden in E if for any valuations

f0,f1 : Data {0,1}n

f0(D) = f1(D) for D Data -T

[[ E ]] ~ [[ E ]]

f0

f1

“~” means computational indistinguishability

Computational Soundness

Relation between two very different worlds?

• Is there a relation between the two notions of secrecy?

• More generally: what does security proved in the symbolic world mean for the computational world?

• Many symbolic versions of the same notion (e.g. two notions of patterns). Which one is right?

• Many security notions for the same primitive in the concrete world. Which one is right?

Computational Soundness

Let – E be an acyclic expression be an IND-CPA secure encryption scheme – arbitrary f: {D1,D2,…,Dn} {0,1}n .

Then:

Main technical result

[[ E ]]f ~ [[ patt(E) ]]f

{K}K

{K1}K2, {K2}K1

are not acyclic expressions

Computational Soundness

Proof idea

• Standard (but very general) hybrid argument

• Construct E1, E2, …, En such that – E1 = E– En = patt(E)– [[Ei]] ~ [[ Ei+1]]

• It is essential that E is acyclic

Computational Soundness

Soundness Theorem (Abadi, Rogaway (2000))

Let – Let E be an acyclic expression be an IND-CPA secure encryption scheme – Then:

T symbolically hidden in E T is computationally hidden in E

Computational Soundness

Proof

E[[ E ]]

f0

[[ E ]]f1

f0

f1

patt(E)[[ patt(E) ]]

f0

[[ patt(E) ]]

f1

f0

f1

Given: T is symbolically hidden in E (any D T does not occur in the pattern of E).

Want: Given any

f0,f1 : Data {0,1}n

f0(D) = f1(D) if D T then

[[ E ]]f0

[[ E ]]f1

indistinguishable from

Computational Soundness

Previous result an instance of:

Symbolic model

Security property

Symbolic proof

Computational model

Security property

Computationalproof

Soundness Theorems

Computational Soundness

(One) Hybrid argument

• E0 = {K1}K2, {K3}K1, {D}K3

• E1 = {K0}K2, {K3}K1, {D}K3

• E2 = {K0}K2, {K0}K1, {D}K3

• E3 = {K0}K2, {K0}K1, {D0}K3

Computational Soundness

(One) Hybrid argument

• E0 = {K1}K2, {K3}K1, {D}K3

• E1 = {K0}K2, {K3}K1, {D}K3

• E2 = {K0}K2, {K0}K1, {D}K3

• E3 = {K0}K2, {K0}K1, {D0}K3

An adversary that distinguishes between [[E0]] and [[E3]] must distinguish between [[Ei]] and [[Ei+1]] for

some i

Computational Soundness

(One) Hybrid argument

• E0 = {K1}K2, {K3}K1, {D}K3

• E1 = {K0}K2, {K3}K1, {D}K3

• E2 = {K0}K2, {K0}K1, {D}K3

• E3 = {K0}K2, {K0}K1, {D0}K3

Computational Soundness

(One) Hybrid argument

Enc(k,_)b

k0,k1

Enc (k,kb)

• Generate k0, k1, k3

• Send k0, k1

• Receive c• Compute c1=Enc(k1, k3)• Compute c2=Enc(k3,d)• Output (c,c1,c2)

c

• E0 = {K1}K2, {K3}K1, {D}K3

• E1 = {K0}K2, {K3}K1, {D}K3

Computational Soundness

Questions:• Is D1 secret in:

• Is D1 secret in :

• Are D1 and D2 secret in:

A, N1, {N1, N2, Ks }K, A, N3, {N3, N4, Ks’ }K, {B, N4}Ks’, {D2}Ks’,{B,N2}Ks,{D1}Ks

A, N1, {N1, N2, Ks }K, {B, N2}Ks {D1}Ks

A, N1, {N1, N2, Ks }K, Ks, A, N3, {N3, N4, Ks’ }K, {B, N4}Ks’, {D2}Ks’,{B,N2}Ks, {D1}Ks

Computational Soundness

Some difficulties

• The usefulness of a soundness theorem increases with its generality

• Is D1 secret in – gx, N1, gy, {N1, Ks }g

xy, {D1}Ks

– gx, N1, gy, {N1, Ks }gx+y, {D1}Ks

– gx, gy, gz, gxy, {Ks }gxyz, {D1}Ks

• Deal with protocols where gx1x2+x2x3+…+xnx1 occurs• How about in

– gx, gy, {N1, Ks }gxy, {D1}Ks, H(N1, D1)

– gx, gy, N1, {Ks }gxy, {D1}Ks, H(N1, D1)

Computational Soundness

Some difficulties

• Intuition a la Dolev Yao models may not always be right!

• patt({D}K1 {D,D}K2) = ▓ , ▓ = patt({D}K1 {D}K1)

• There exists IND-CPA encryption schemes for which encryption with the same key can be observed1. Strengthen the notion of security for encryption in the

computational world

2. Refine the notion of patterns in the symbolic world

Computational Soundness

Acyclicity

• Intuition a la Dolev Yao models may be wrong! • Is D secret in {K}K, {D}K?• There exist IND-CPA encryption schemes which

are completely insecure if used as above

• Is D secret in {K1}K2, {K2}K1, {D}K?• …?• Solutions:

– declare the above use insecure– define and construct key-dependent encryption

Computational Soundness

Computational soundness

• Relates symbolic and computational models so that security results transfer

• Why should we care– Symbolic formalisms:

• Gives insight into models• Justifies the use of symbolic models in a very

strong sense

– Cryptography:• Symbolic models are simpler, easier to understand• For large protocols with complex interactions life is

simpler